
DARPA targets $4.8M to close backdoor security problems

11 December 2013, by Paolo Gangi

The Defense Advanced Research Projects Agency has written a check for $4.8 million to Raytheon BBN Technologies and GrammaTech to build software that blocks backdoor security holes in commodity network devices.

The contract falls under DARPA’s Vetting Commodity IT Software and Firmware (VET) program, which addresses the threat of malicious code hidden in mobile phones, network routers, computer workstations and other networked devices, which can be secretly modified to function in unintended ways or spy on users.

Under VET, GrammaTech and Raytheon BBN said they intend to develop tools and techniques to let organizations inspect the software and firmware of network-enabled devices and protect them from attack. Raytheon plans to develop techniques that enable analysts to prioritize elements of software and firmware to examine for hidden malicious code. GrammaTech also said it plans to develop the tools that examine the software and firmware to let analysts demonstrate that they do not have exploitable security vulnerabilities.

“Backdoors, malicious software and other vulnerabilities unknown to the user could enable an adversary to use a device to accomplish a variety of harmful objectives, including the exfiltration of sensitive data and the sabotage of critical operations. Determining the security of every device the Department of Defense uses in a timely fashion is beyond current capabilities,” DARPA stated. VET will look to develop systems that can verify the security of commercial IT devices. IT’s growing dependence on the global supply chain makes device, software and firmware security an imperative, DARPA stated.

According to DARPA, VET is looking to address three technical challenges:

Define malice: Given a sample device, how can DoD analysts produce a prioritized checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out?

Confirm the absence of malice: Given a checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out, how can DoD analysts demonstrate the absence of those broad classes of hidden malicious functionality?

Examine equipment at scale: Given a means for DoD analysts to demonstrate the absence of broad classes of hidden malicious functionality in sample devices in the lab, how can this procedure scale to non-specialist technicians who must vet every individual new device used by the Department of Defense prior to deployment?